From a154e45f2aa4eabf5b991e00a8ffc3968d879c03 Mon Sep 17 00:00:00 2001
From: Vara Kumar <102720382+vara2504@users.noreply.github.com>
Date: Mon, 30 Dec 2024 13:58:33 -0800
Subject: [PATCH] =?UTF-8?q?Revert=20"Restrict=20tigera-operator=20secret?=
 =?UTF-8?q?=20access=20to=20namespace=20only,=20retain=20get/=E2=80=A6"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit 33bd5ce07dd66ca391768be946e4c8060a8984f2.
---
 .../02-role-tigera-operator-secrets.yaml | 16 --------
 .../02-role-tigera-operator.yaml | 2 +-
 ...2-rolebinding-tigera-operator-secrets.yaml | 15 --------
 .../ocp/02-role-tigera-operator-secrets.yaml | 16 --------
 manifests/ocp/02-role-tigera-operator.yaml | 2 +-
 ...2-rolebinding-tigera-operator-secrets.yaml | 15 --------
 manifests/tigera-operator.yaml | 37 +------------------
 7 files changed, 3 insertions(+), 100 deletions(-)
 delete mode 100644 charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator-secrets.yaml
 delete mode 100644 charts/tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator-secrets.yaml
 delete mode 100644 manifests/ocp/02-role-tigera-operator-secrets.yaml
 delete mode 100644 manifests/ocp/02-rolebinding-tigera-operator-secrets.yaml

diff --git a/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator-secrets.yaml b/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator-secrets.yaml
deleted file mode 100644
index 21b25a64c6c..00000000000
--- a/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator-secrets.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# Permissions required to manipulate operator secrets for a Calico cluster.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: tigera-operator-secrets
- labels:
- {{- include "tigera-operator.labels" (dict "context" .) | nindent 4 }}
-rules:
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
- - update
- - delete
diff --git a/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml b/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml
index 0b383e63338..0bb34397cc6 100644
--- a/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml
+++ b/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml
@@ -61,6 +61,7 @@ rules:
 - endpoints
 - events
 - configmaps
+ - secrets
 - serviceaccounts
 verbs:
 - create
@@ -73,7 +74,6 @@ rules:
 - ""
 resources:
 - resourcequotas
- - secrets
 verbs:
 - list
 - get
diff --git a/charts/tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator-secrets.yaml b/charts/tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator-secrets.yaml
deleted file mode 100644
index 785b4509138..00000000000
--- a/charts/tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator-secrets.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-operator-secrets
- namespace: {{.Release.Namespace}}
- labels:
- {{- include "tigera-operator.labels" (dict "context" .) | nindent 4 }}
-subjects:
- - kind: ServiceAccount
- name: {{.Release.Namespace}}
- namespace: {{.Release.Namespace}}
-roleRef:
- kind: ClusterRole
- name: tigera-operator-secrets
- apiGroup: rbac.authorization.k8s.io
diff --git a/manifests/ocp/02-role-tigera-operator-secrets.yaml b/manifests/ocp/02-role-tigera-operator-secrets.yaml
deleted file mode 100644
index 57913347c1f..00000000000
--- a/manifests/ocp/02-role-tigera-operator-secrets.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# Permissions required to manipulate operator secrets for a Calico cluster.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: tigera-operator-secrets
- labels:
- k8s-app: tigera-operator
-rules:
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
- - update
- - delete
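Review bot: Adding `secrets` to the rule whose verbs begin with `create` (first hunk of 02-role-tigera-operator.yaml) restores write access to Secrets through this role, and neither the commit message nor the manifest says why the namespace-scoped `tigera-operator-secrets` RoleBinding introduced by 33bd5ce was not sufficient. If this role is bound cluster-wide (the reverted commit's title suggests so, but the role's kind and its binding are outside the hunk), the operator's service account can again create and modify Secrets in every namespace, which widens what a compromised operator pod can reach. I would record the reason next to the entry, e.g. `# secrets: cluster-wide write restored by revert of 33bd5ce; required for <namespaces/feature, fill in>`, and consider RoleBindings limited to the namespaces the operator actually manages instead of the broad grant. The verb list continues past the hunk after `create`, and the same change is repeated in manifests/ocp/02-role-tigera-operator.yaml and in the rendered manifests/tigera-operator.yaml.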
diff --git a/manifests/ocp/02-role-tigera-operator.yaml b/manifests/ocp/02-role-tigera-operator.yaml
index 044253fb50c..99b46a6ccbd 100644
--- a/manifests/ocp/02-role-tigera-operator.yaml
+++ b/manifests/ocp/02-role-tigera-operator.yaml
@@ -59,6 +59,7 @@ rules:
 - endpoints
 - events
 - configmaps
+ - secrets
 - serviceaccounts
 verbs:
 - create
@@ -71,7 +72,6 @@ rules:
 - ""
 resources:
 - resourcequotas
- - secrets
 verbs:
 - list
 - get
diff --git a/manifests/ocp/02-rolebinding-tigera-operator-secrets.yaml b/manifests/ocp/02-rolebinding-tigera-operator-secrets.yaml
deleted file mode 100644
index 693a694ec9f..00000000000
--- a/manifests/ocp/02-rolebinding-tigera-operator-secrets.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-operator-secrets
- namespace: tigera-operator
- labels:
- k8s-app: tigera-operator
-subjects:
- - kind: ServiceAccount
- name: tigera-operator
- namespace: tigera-operator
-roleRef:
- kind: ClusterRole
- name: tigera-operator-secrets
- apiGroup: rbac.authorization.k8s.io
diff --git a/manifests/tigera-operator.yaml b/manifests/tigera-operator.yaml
index 4c9cec17a7e..174a23a15b4 100644
--- a/manifests/tigera-operator.yaml
+++ b/manifests/tigera-operator.yaml
@@ -22253,24 +22253,6 @@ metadata: imagePullSecrets: [] --- -# Source: tigera-operator/templates/tigera-operator/02-role-tigera-operator-secrets.yaml -# Permissions required to manipulate operator secrets for a Calico cluster. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: tigera-operator-secrets - labels: - k8s-app: tigera-operator -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - create - - update - - delete ---- # Source: tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml # Permissions required when running the operator for a Calico cluster. apiVersion: rbac.authorization.k8s.io/v1
@@ -22290,6 +22272,7 @@ rules: - endpoints - events - configmaps + - secrets - serviceaccounts verbs: - create @@ -22302,7 +22285,6 @@ rules: - "" resources: - resourcequotas - - secrets verbs: - list - get @@ -22597,23 +22579,6 @@ roleRef: name: tigera-operator apiGroup: rbac.authorization.k8s.io --- -# Source: tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator-secrets.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tigera-operator-secrets - namespace: tigera-operator - labels: - k8s-app: tigera-operator -subjects: - - kind: ServiceAccount - name: tigera-operator - namespace: tigera-operator -roleRef: - kind: ClusterRole - name: tigera-operator-secrets - apiGroup: rbac.authorization.k8s.io ---- # Source: tigera-operator/templates/tigera-operator/02-tigera-operator.yaml apiVersion: apps/v1 kind: Deployment